Opaque Token Introspection Strategy Flexibility #7344
Labels:
in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: enhancement (A general enhancement)
Most of the opaque token support anticipates the use of the OAuth 2.0 Introspection specification. For example, the authentication provider is `OAuth2IntrospectionAuthenticationProvider`.

This really isn't true though, since the contract is simply `String` -> `Map` of attributes. It's sensible to hit any trusted API that will exchange something that is opaque to the resource server for an attribute map. Thus, something like `OpaqueTokenAuthenticationProvider` is more sensible.

This aligns with the DSL: `jwt()` configures a `JwtAuthenticationProvider` and now `opaqueToken()` would configure an `OpaqueTokenAuthenticationProvider`.

On the same note, `OAuth2IntrospectionAuthenticationToken` implies an OAuth 2.0 Introspection authentication strategy, which may not be true. Instead, let's use `BearerTokenAuthentication`.
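
The `String` -> `Map` contract described in this issue, shown in plain Java as an added example (not Spring Security code and not written by the issue author). `TokenAttributeResolver`, `authenticate` and the session data are hypothetical names, and the fail-closed checks are assumptions of this example.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Optional;

public class OpaqueTokenDemo {

    // Hypothetical contract from the issue: opaque String in, attribute Map out.
    interface TokenAttributeResolver {
        Map<String, Object> resolve(String token);
    }

    // Strategy-agnostic authenticator: it never learns how the attributes were obtained.
    static Optional<Map<String, Object>> authenticate(TokenAttributeResolver resolver, String token) {
        if (token == null || token.isBlank()) {
            return Optional.empty();
        }
        Map<String, Object> attrs;
        try {
            attrs = resolver.resolve(token);
        } catch (RuntimeException e) {
            return Optional.empty(); // backend failure: fail closed
        }
        if (attrs == null || attrs.isEmpty()) {
            return Optional.empty(); // token unknown to the trusted backend
        }
        Object exp = attrs.get("exp");
        if (exp instanceof Instant && !Instant.now().isBefore((Instant) exp)) {
            return Optional.empty(); // expired according to the returned attributes
        }
        return Optional.of(Map.copyOf(attrs)); // immutable view for the caller
    }

    public static void main(String[] args) {
        // Constructed sample data: a session store standing in for "any trusted API".
        Map<String, Map<String, Object>> sessions = Map.of(
            "tok-live", Map.of("sub", "alice", "scope", "read", "exp", Instant.now().plusSeconds(300)),
            "tok-old", Map.of("sub", "bob", "exp", Instant.now().minusSeconds(60)));
        TokenAttributeResolver sessionLookup = sessions::get;
        TokenAttributeResolver brokenBackend = t -> { throw new IllegalStateException("backend down"); };

        System.out.println("live token accepted:    " + authenticate(sessionLookup, "tok-live").isPresent());
        System.out.println("expired token accepted: " + authenticate(sessionLookup, "tok-old").isPresent());
        System.out.println("unknown token accepted: " + authenticate(sessionLookup, "tok-unknown").isPresent());
        System.out.println("backend down accepted:  " + authenticate(brokenBackend, "tok-live").isPresent());
    }
}
```

An RFC 7662 introspection client would be one more `TokenAttributeResolver` implementation; the authenticator itself would not change.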